Frequently Asked Questions

How do I set up DNSSEC?

For the overall implementation of DNSSEC, two record types are required: DNSKEY and DS. The DNSKEY record contains a public signing key, and the DS record contains a hash of a DNSKEY record.

Our partner that powers Gen.xyz provides the ability to save DS records, but does not support full DNSSEC signing using the default nameservers. A domain needs to be hosted and signed elsewhere, and your provider will give you the DS record(s) that need(s) to be added on our end.

DNSSEC records can only be set by contacting support.

For DNSSEC requests, please open a support ticket and request that the records be added, supplying the data in the required formats below.

DNSKEY:
We are unable to accept or save DNSKEY records.
After you have signed a domain with DNSSEC using your DNS host, the DNSKEY record should already be saved on your nameservers. DNSKEY is not needed at the registrar level to complete your DNSSEC signing.

You can use this tool to check that your DNSKEY records are all set on your host's end, before you send us the DS records:
https://dnssec-analyzer.verisignlabs.com

DS Records:
After you have signed a domain with DNSSEC using your DNS host, please open a support ticket and provide the DS record(s) to Support in order to tie DNSSEC for your domain into the .xyz zone.

To add DS records, please provide all the components in this exact DS record format:
mydomain.xyz. 86400 IN DS 60485 5 1 ( 2BB183AF5F22588179A53B0A98631FAD1A292118 )

Here are the components from the above example DS record:

Domain Name - example: mydomain.xyz
Time to live - example: 86400
Class name - example: IN
DNS record type - example: DS
Key Tag - example: 60485
Algorithm - example: 5
Digest Type - example: 1
Digest - example: ( 2BB183AF5F22588179A53B0A98631FAD1A292118 )


Below are DNSSEC options available at Gen.xyz:

DNSSEC
Enabled / Disabled

DS RECORDS
Key Tag, Digest Type, Digest, Algorithm

     Key Tag: An integer value less than 65536 that identifies the DNSSEC record for this domain name.
     Example: 60485

     Digest Type: The algorithm type that constructs the digest.
     Options:
     1 - SHA-1
     2 - SHA-256

     Digest: The digest is an alpha-numeric value.
     Example: D4B7D520E7BB5F0F67674A0C CEB1E3E0614B93C4F9E99B83 83F6A1E4469DA50A

     Algorithm: The cryptographic algorithm that generates the signature.
     Options:
     3 - DSA/SHA1
     5 - RSA/SHA-1
     6 - DSA-NSEC3-SHA1
     7 - RSASHA1-NSEC3-SHA1
     8 - RSA/SHA-256
     10 - RSA/SHA-512
     12 - ECC-GOST
     13 - ECDSA P256 SHA256
     14 - ECDSA P384 SHA384
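
A DS record can be checked against the format and options above before it goes into a support ticket. The following is an added example, not a Gen.xyz tool: the function name check_ds_line is hypothetical, and the digest lengths assume the usual hexadecimal presentation (40 characters for SHA-1, 64 for SHA-256).

```python
import re

# Options taken from the lists in this FAQ.
ALGORITHMS = {3, 5, 6, 7, 8, 10, 12, 13, 14}
DIGEST_HEX_LEN = {1: 40, 2: 64}  # SHA-1 is 20 bytes, SHA-256 is 32 bytes

DS_LINE = re.compile(
    r"^(?P<name>\S+)\s+(?P<ttl>\d+)\s+(?P<cls>\S+)\s+DS\s+"
    r"(?P<tag>\d+)\s+(?P<alg>\d+)\s+(?P<dtype>\d+)\s+(?P<digest>.+)$"
)

def check_ds_line(line):
    """Return (fields, problems) for one DS record in the format shown above."""
    m = DS_LINE.match(line.strip())
    if not m:
        return None, ["not in '<name> <ttl> IN DS <tag> <alg> <type> <digest>' form"]
    # Parentheses and whitespace inside the digest are layout only.
    digest = re.sub(r"[()\s]", "", m["digest"]).upper()
    fields = {
        "name": m["name"], "ttl": int(m["ttl"]), "class": m["cls"].upper(),
        "key_tag": int(m["tag"]), "algorithm": int(m["alg"]),
        "digest_type": int(m["dtype"]), "digest": digest,
    }
    problems = []
    if fields["class"] != "IN":
        problems.append("class must be IN")
    if fields["key_tag"] >= 65536:
        problems.append("key tag must be less than 65536")
    if fields["algorithm"] not in ALGORITHMS:
        problems.append("algorithm %d is not a listed option" % fields["algorithm"])
    want = DIGEST_HEX_LEN.get(fields["digest_type"])
    if want is None:
        problems.append("digest type must be 1 (SHA-1) or 2 (SHA-256)")
    elif not re.fullmatch(r"[0-9A-F]+", digest):
        problems.append("digest is not hexadecimal")
    elif len(digest) != want:
        problems.append("digest has %d hex characters, expected %d" % (len(digest), want))
    return fields, problems

if __name__ == "__main__":
    # Constructed sample: the FAQ's example line with the digest type
    # changed to 2, so the SHA-1 length digest no longer matches.
    sample = "mydomain.xyz. 86400 IN DS 60485 5 2 ( 2BB183AF5F22588179A53B0A98631FAD1A292118 )"
    print(check_ds_line(sample))
```

An empty problems list means the line matches the format and options listed here; it does not confirm that the digest corresponds to the DNSKEY published on your nameservers.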
